How do I log every command executed by a user?
Add this line to your pam config responsible for logins (its system-auth on redhat based distros) session required pam_tty_audit.so enable=* To find out what was done, you can use. ausearch -ts <some_timestamp> -m tty -i This produces an output like this: type=TTY msg=audit(11/30/2011 15:38:39.178:12763684) : tty pid=32377 uid=root auid=matthew major=136 minor=2 comm=bash data=<up>,<ret> The only … Read more